Hello community,

here is the log from the commit of package openssl for openSUSE:Factory checked 
in at 2013-11-29 07:03:09
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssl (Old)
 and      /work/SRC/openSUSE:Factory/.openssl.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openssl"

Changes:
--------
--- /work/SRC/openSUSE:Factory/openssl/openssl.changes  2013-10-24 
14:10:46.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes     2013-11-29 
07:03:10.000000000 +0100
@@ -1,0 +2,7 @@
+Sat Nov 23 08:23:59 UTC 2013 - [email protected]
+
+- Patches for OpenSSL FIPS-140-2/3 certification
+  Add patch files: openssl-1.0.1e-fips.patch, openssl-1.0.1e-fips-ec.patch,
+  openssl-1.0.1e-fips-ctor.patch
+
+-------------------------------------------------------------------

New:
----
  openssl-1.0.1e-fips-ctor.patch
  openssl-1.0.1e-fips-ec.patch
  openssl-1.0.1e-fips.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ openssl.spec ++++++
--- /var/tmp/diff_new_pack.EWFA2J/_old  2013-11-29 07:03:11.000000000 +0100
+++ /var/tmp/diff_new_pack.EWFA2J/_new  2013-11-29 07:03:11.000000000 +0100
@@ -58,6 +58,10 @@
 # From Fedora openssl.
 Patch13:        openssl-1.0.1c-ipv6-apps.patch
 Patch14:        0001-libcrypto-Hide-library-private-symbols.patch
+# FIPS patches
+Patch15:        openssl-1.0.1e-fips.patch
+Patch16:        openssl-1.0.1e-fips-ec.patch
+Patch17:        openssl-1.0.1e-fips-ctor.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -78,6 +82,7 @@
 
 %package -n libopenssl1_0_0
 Summary:        Secure Sockets and Transport Layer Security
+License:        OpenSSL
 Group:          Productivity/Networking/Security
 Recommends:     openssl-certs
 # bug437293
@@ -104,6 +109,7 @@
 
 %package -n libopenssl-devel
 Summary:        Include Files and Libraries mandatory for Development
+License:        OpenSSL
 Group:          Development/Libraries/C and C++
 Obsoletes:      openssl-devel < %{version}
 Requires:       %name = %version
@@ -120,8 +126,19 @@
 This package contains all necessary include files and libraries needed
 to develop applications that require these.
 
+%package -n libopenssl1_0_0-hmac
+Summary:        HMAC files for FIPS-140-2 integrity checking of the openssl 
shared libraries
+License:        BSD-3-Clause
+Group:          Productivity/Networking/Security
+Requires:       libopenssl1_0_0 = %{version}-%{release}
+
+%description -n libopenssl1_0_0-hmac
+The FIPS compliant operation of the openssl shared libraries is NOT
+possible without the HMAC hashes contained in this package!
+
 %package doc
 Summary:        Additional Package Documentation
+License:        OpenSSL
 Group:          Productivity/Networking/Security
 %if 0%{?suse_version} >= 1140
 BuildArch:      noarch
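Review bot: The new hmac subpackage is tagged `License: BSD-3-Clause` while every other subpackage touched by this commit gets `License: OpenSSL`; the .hmac files are computed from the OpenSSL libraries themselves (see the `__os_install_post` redefinition further down), so the differing tag looks like a copy-paste artefact rather than a deliberate choice — confirm and align it if so. The `Summary:` of the subpackage appears here split across two lines; that may be mail wrapping only, but check that the spec keeps the tag on a single line, since a bare continuation line in the preamble is not valid spec syntax.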
@@ -148,6 +165,9 @@
 %patch12 -p1
 %patch13 -p1
 %patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
 
 cp -p %{S:10} .
 echo "adding/overwriting some entries in the 'table' hash in Configure"
@@ -193,12 +213,13 @@
 %endif
 ./config --test-sanity 
 #
-config_flags="threads shared no-rc5 no-idea \
+config_flags="threads shared no-rc5 no-idea fips \
 %ifarch x86_64 
 enable-ec_nistp_64_gcc_128 \
 %endif
 enable-camellia \
 zlib \
+no-ec2m \
 --prefix=%{_prefix} \
 --libdir=%{_lib} \
 --openssldir=%{ssletcdir} \
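Review bot: `no-ec2m` removes the binary-field (GF(2^m)) elliptic curves from the build, which is a user-visible change — EC keys and TLS curves on those fields stop working — yet the changelog entry only mentions the FIPS patches. A one-line comment next to the flag, e.g. `# no-ec2m: drop GF(2^m) curves (not covered by the FIPS EC patch)`, plus a changelog line would tell users why those curves disappeared; the FIPS-EC motivation is my inference, so word it to the actual reason.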
@@ -245,6 +266,15 @@
        make depend
        make
        LD_LIBRARY_PATH=`pwd` make rehash
+
+# for FIPS mode testing; the same hashes are being created later just before
+# the wrap-up of the files into the package.
+# These files are just there for the make test below...
+crypto/fips/fips_standalone_hmac libcrypto.so.1.0.0 > .libcrypto.so.1.0.0.hmac
+crypto/fips/fips_standalone_hmac libssl.so.1.0.0 > .libssl.so.1.0.0.hmac
+
+LD_LIBRARY_PATH=`pwd` make test FIPSCANLIB=""
+
        %ifnarch armv4l
        LD_LIBRARY_PATH=`pwd` make test
        %endif
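Review bot: The new unconditional `LD_LIBRARY_PATH=\`pwd\` make test FIPSCANLIB=""` is immediately followed by the pre-existing `make test` under `%ifnarch armv4l`, so the whole suite now runs twice on every non-armv4l build; unless the two runs exercise different paths, one is redundant and doubles test time. If both are intended, say which is which in the comment above them, e.g. `# first run: suite with the in-tree FIPS integrity check; second run: regular suite`, and consider whether the new run also needs the armv4l guard. The .hmac files generated here cover the unstripped in-tree libraries, which matches the comment's note that they are regenerated after stripping in %install.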
@@ -258,6 +288,7 @@
 %install
 rm -rf $RPM_BUILD_ROOT
 make MANDIR=%{_mandir} INSTALL_PREFIX=$RPM_BUILD_ROOT install
+cp -a crypto/fips/fips_standalone_hmac 
$RPM_BUILD_ROOT/usr/bin/fips_standalone_hmac
 install -d -m755 $RPM_BUILD_ROOT%{ssletcdir}/certs
 ln -sf ./%{name} $RPM_BUILD_ROOT/%{_includedir}/ssl
 mkdir $RPM_BUILD_ROOT/%{_datadir}/ssl
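Review bot: The copy destination is spelled as a literal `/usr/bin` while the matching `%files` entry later in this commit uses `%{_bindir}`, so the two can disagree if `_bindir` is ever redefined; `install -m 755 crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{_bindir}/fips_standalone_hmac` keeps them in step and makes the intended mode explicit instead of inheriting whatever the build tree had. The same literal `/usr/bin` path is repeated inside the `__os_install_post` redefinition further down and should follow suit.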
@@ -335,6 +366,29 @@
 # Do not install demo scripts executable under /usr/share/doc
 find demos -type f -perm /111 -exec chmod 644 {} \;
 
+# the hmac hashes:
+#
+# this is a hack that re-defines the __os_install_post macro
+# for a simple reason: the macro strips the binaries and thereby
+# invalidates a HMAC that may have been created earlier.
+# solution: create the hashes _after_ the macro runs.
+#
+# this shows up earlier because otherwise the %expand of
+# the macro is too late.
+# remark: This is the same as running
+#   openssl dgst -sha256 -hmac 'ppaksykemnsecgtsttplmamstKMEs'
+%{expand:%%global __os_install_post {%__os_install_post
+
+$RPM_BUILD_ROOT/usr/bin/fips_standalone_hmac \
+  $RPM_BUILD_ROOT/%{_lib}/libssl.so.%{num_version} > \
+    $RPM_BUILD_ROOT/%{_libdir}/.libssl.so.%{num_version}.hmac
+
+$RPM_BUILD_ROOT/usr/bin/fips_standalone_hmac \
+  $RPM_BUILD_ROOT/%{_lib}/libcrypto.so.%{num_version} > \
+    $RPM_BUILD_ROOT/%{_libdir}/.libcrypto.so.%{num_version}.hmac
+
+}}
+
 #process openssllib
 mkdir $RPM_BUILD_ROOT/%{_lib}
 mv $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{num_version} $RPM_BUILD_ROOT/%{_lib}/
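Review bot: The .hmac files are written under `%{_libdir}` while the libraries they cover are moved to `/%{_lib}` right below, and FIPSCHECK_verify in the ctor patch derives the .hmac path from the library path the loader reports; the runtime check can therefore only find the hashes if libcrypto is resolved through the new `%{_libdir}/lib*.so.%{num_version}` symlinks added in the next hunk (and listed in the devel %files) rather than through `/%{_lib}` directly. That dependency is stated nowhere; either document it beside the symlinks, e.g. `# soname symlinks in %{_libdir}: FIPSCHECK looks for .<lib>.hmac next to the path the loader resolved`, or install the .hmac files next to the real libraries. Note also that the HMAC key is quoted in the comment above, so the hash guards against an accidental library/hash mismatch rather than deliberate replacement — the `Requires: libopenssl1_0_0 = %{version}-%{release}` on the hmac subpackage is what actually keeps hash and library in step.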
@@ -342,7 +396,9 @@
 mv $RPM_BUILD_ROOT%{_libdir}/engines $RPM_BUILD_ROOT/%{_lib}/
 cd $RPM_BUILD_ROOT%{_libdir}/
 ln -sf /%{_lib}/libssl.so.%{num_version} ./libssl.so
+ln -sf /%{_lib}/libssl.so.%{num_version} ./libssl.so.%{num_version}
 ln -sf /%{_lib}/libcrypto.so.%{num_version} ./libcrypto.so
+ln -sf /%{_lib}/libcrypto.so.%{num_version} ./libcrypto.so.%{num_version}
 
 for engine in 4758cca atalla nuron sureware ubsec cswift chil aep; do
 rm %{buildroot}/%{_lib}/engines/lib$engine.so
@@ -365,6 +421,11 @@
 /%{_lib}/libcrypto.so.%{num_version}
 /%{_lib}/engines
 
+%files -n libopenssl1_0_0-hmac
+%defattr(-, root, root)
+%{_libdir}/.libssl.so.%{num_version}.hmac
+%{_libdir}/.libcrypto.so.%{num_version}.hmac
+
 %files -n libopenssl-devel
 %defattr(-, root, root)
 %{_includedir}/%{name}/
@@ -372,7 +433,9 @@
 %exclude %{_libdir}/libcrypto.a
 %exclude %{_libdir}/libssl.a
 %{_libdir}/libssl.so
+%{_libdir}/libssl.so.%{num_version}
 %{_libdir}/libcrypto.so
+%{_libdir}/libcrypto.so.%{num_version}
 %_libdir/pkgconfig/libcrypto.pc
 %_libdir/pkgconfig/libssl.pc
 %_libdir/pkgconfig/openssl.pc
@@ -393,6 +456,7 @@
 %dir %{_datadir}/ssl
 %{_datadir}/ssl/misc
 %{_bindir}/c_rehash
+%{_bindir}/fips_standalone_hmac
 %{_bindir}/%{name}
 
 %changelog

++++++ baselibs.conf ++++++
--- /var/tmp/diff_new_pack.EWFA2J/_old  2013-11-29 07:03:11.000000000 +0100
+++ /var/tmp/diff_new_pack.EWFA2J/_new  2013-11-29 07:03:11.000000000 +0100
@@ -3,3 +3,6 @@
 libopenssl-devel
   requires -libopenssl-<targettype>
   requires "libopenssl1_0_0-<targettype> = <version>"
+libopenssl1_0_0-hmac
+  requires -libopenssl1_0_0 = <version>
+  requires "libopenssl1_0_0-<targettype> = <version>-%release"

++++++ openssl-1.0.1e-fips-ctor.patch ++++++
Index: openssl-1.0.1e/crypto/fips/fips.c
===================================================================
--- openssl-1.0.1e.orig/crypto/fips/fips.c
+++ openssl-1.0.1e/crypto/fips/fips.c
@@ -60,6 +60,8 @@
 #include <dlfcn.h>
 #include <stdio.h>
 #include <stdlib.h>
+#include <unistd.h>
+#include <errno.h>
 #include "fips_locl.h"
 
 #ifdef OPENSSL_FIPS
@@ -198,8 +200,10 @@ bin2hex(void *buf, size_t len)
        return hex;
 }
 
-#define HMAC_PREFIX "." 
-#define HMAC_SUFFIX ".hmac" 
+#define HMAC_PREFIX "."
+#ifndef HMAC_SUFFIX
+#define HMAC_SUFFIX ".hmac"
+#endif
 #define READ_BUFFER_LENGTH 16384
 
 static char *
@@ -279,19 +283,13 @@ end:
 }
 
 static int
-FIPSCHECK_verify(const char *libname, const char *symbolname)
+FIPSCHECK_verify(const char *path)
 {
-       char path[PATH_MAX+1];
-       int rv;
+       int rv = 0;
        FILE *hf;
        char *hmacpath, *p;
        char *hmac = NULL;
        size_t n;
-       
-       rv = get_library_path(libname, symbolname, path, sizeof(path));
-
-       if (rv < 0)
-               return 0;
 
        hmacpath = make_hmac_path(path);
        if (hmacpath == NULL)
@@ -341,6 +339,53 @@ end:
        return 1;       
 }
 
+static int
+verify_checksums(void)
+    {
+       int rv;
+       char path[PATH_MAX+1];
+       char *p;
+
+       /* we need to avoid dlopening libssl, assume both libcrypto and libssl
+          are in the same directory */
+
+       rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER, 
"FIPS_mode_set", path, sizeof(path));
+       if (rv < 0)
+               return 0;
+
+       rv = FIPSCHECK_verify(path);
+       if (!rv)
+               return 0;
+
+       /* replace libcrypto with libssl */
+       while ((p = strstr(path, "libcrypto.so")) != NULL)
+           {
+               p = stpcpy(p, "libssl");
+                memmove(p, p+3, strlen(p+2));
+           }
+
+       rv = FIPSCHECK_verify(path);
+       if (!rv)
+               return 0;
+       return 1;
+    }
+
+#ifndef FIPS_MODULE_PATH
+#define FIPS_MODULE_PATH "/etc/system-fips"
+#endif
+
+int
+FIPS_module_installed(void)
+    {
+    int rv;
+    rv = access(FIPS_MODULE_PATH, F_OK);
+    if (rv < 0 && errno != ENOENT)
+       rv = 0;
+
+    /* Installed == true */
+    return !rv;
+    }
+
 int FIPS_module_mode_set(int onoff, const char *auth)
     {
     int ret = 0;
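Review bot: verify_checksums fingerprints a libssl whose path is produced by textual substitution in libcrypto's path, not the libssl actually mapped into the process; if the process resolved libssl from another directory, the check passes for a file that is not in use, and the comment only records the same-directory assumption without saying what happens when it is false. If dlopen of libssl must be avoided, state the consequence at the call site so FIPS mode is not believed to cover a library it never hashed. The `memmove(p, p+3, strlen(p+2))` relies on `strlen(p+2) == strlen(p+3) + 1` to carry the terminator along; `memmove(p, p + 3, strlen(p + 3) + 1)` expresses that directly. In FIPS_module_installed any `access()` failure other than ENOENT (EACCES, ENAMETOOLONG, …) is reported as "installed" because rv is reset to 0 before `return !rv`; if that fail-open behaviour is intended it needs a comment, otherwise `return rv == 0;` is the safer reading.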
@@ -379,15 +424,7 @@ int FIPS_module_mode_set(int onoff, cons
        }
 #endif
 
-       if(!FIPSCHECK_verify("libcrypto.so." 
SHLIB_VERSION_NUMBER,"FIPS_mode_set"))
-           {
-           
FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
-           fips_selftest_fail = 1;
-           ret = 0;
-           goto end;
-           }
-
-       if(!FIPSCHECK_verify("libssl.so." SHLIB_VERSION_NUMBER,"SSL_CTX_new"))
+       if(!verify_checksums())
            {
            
FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
            fips_selftest_fail = 1;
Index: openssl-1.0.1e/crypto/fips/fips.h
===================================================================
--- openssl-1.0.1e.orig/crypto/fips/fips.h
+++ openssl-1.0.1e/crypto/fips/fips.h
@@ -74,6 +74,7 @@ struct hmac_ctx_st;
 
 int FIPS_module_mode_set(int onoff, const char *auth);
 int FIPS_module_mode(void);
+int FIPS_module_installed(void);
 const void *FIPS_rand_check(void);
 int FIPS_selftest(void);
 int FIPS_selftest_failed(void);
Index: openssl-1.0.1e/crypto/o_init.c
===================================================================
--- openssl-1.0.1e.orig/crypto/o_init.c
+++ openssl-1.0.1e/crypto/o_init.c
@@ -70,6 +70,9 @@ static void init_fips_mode(void)
        {
        char buf[2] = "0";
        int fd;
+
+       /* Ensure the selftests always run */
+       FIPS_mode_set(1);
        
        if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
                {
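Review bot: The return value of the new `FIPS_mode_set(1)` is discarded, so a failing integrity check or self-test at this point has no visible effect unless FIPS mode is later requested; on a host where the hmac subpackage is absent (the spec says FIPS operation is impossible without it) the failure appears to be masked by the `FIPS_mode_set(0)` in the following hunk. If that is deliberate — a non-FIPS host should not care — say so in the comment, e.g. `/* Force the power-up self-tests to run once; the result is only acted on below if FIPS mode was requested */`. init_fips_mode starts before this hunk.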
@@ -85,9 +88,15 @@ static void init_fips_mode(void)
         * otherwise. 
         */
        
-       if (buf[0] == '1')
+       if (buf[0] != '1')
+               {
+               /* drop down to non-FIPS mode if it is not requested */
+               FIPS_mode_set(0);
+               }
+       else
                {
-               FIPS_mode_set(1);
+               /* abort if selftest failed */
+               FIPS_selftest_check();
                }
        }
 #endif
@@ -96,13 +105,19 @@ static void init_fips_mode(void)
  * Currently only sets FIPS callbacks
  */
 
-void OPENSSL_init_library(void)
+void __attribute__ ((constructor)) OPENSSL_init_library(void)
        {
        static int done = 0;
        if (done)
                return;
        done = 1;
 #ifdef OPENSSL_FIPS
+       /* this should be an option, comment it, temporarily */
+      /* if (!FIPS_module_installed())
+               {
+               return;
+               }
+       */
        RAND_init_fips();
        init_fips_mode();
        if (!FIPS_mode())
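Review bot: `__attribute__ ((constructor))` is added unconditionally although it is a GCC/Clang extension, and it changes OPENSSL_init_library's contract from "called by the application" to "runs in every process that maps libcrypto, before main"; both deserve a comment on the definition, e.g. `/* Runs as an ELF constructor so the FIPS self-tests and integrity check happen before any application code; GCC/Clang only. */`. Constructor timing also means this executes before the application has installed its locking or error callbacks, which is worth stating if it was considered. The commented-out `FIPS_module_installed()` block marked "temporarily" is dead code and leaves the newly exported FIPS_module_installed without a caller in this patch; either drop the block or make it a real compile-time option. OPENSSL_init_library's body continues past the hunk.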
++++++ openssl-1.0.1e-fips-ec.patch ++++++
++++ 2054 lines (skipped)

++++++ openssl-1.0.1e-fips.patch ++++++
++++ 20494 lines (skipped)

